EXPERT OPINION

As a case in point, consider an automated service that is either hosted by the company itself or connected to a cloud-based AI engine as a service. To effectively respond to queries, this service needs to access backend resources. This often means having a database fronted by middleware that allows queries via a secure application programming interface (API). The contents of the database will vary from company to company and may include anything from hotel reservation information to customer data – and it may even accept credit card information.

Here’s a checklist of basic security questions to cover before implementing a chatbot that is fully automated and AI-driven:

• Is the API connecting your organisation’s website and the chatbot engine secured using access control lists (ACLs)? You can accomplish this by using IP addresses, geofencing, etc.
• How do you approach the management of authentication between the systems (webservice, engine, middleware, cloud, etc.)?
• How do you apply vulnerability management best practices across the architecture supporting the chatbot? You should also find a way to implement routine penetration testing.
• Have you adequately secured privileges/privileged access and enforced least privilege?
• What data can the chatbot query – is any of it sensitive? Do any specific regulations apply to how this data is collected, stored and handled? For instance, do communications contain information that may warrant extending your scope of regulations, like PCI DSS? Also, will communications ‘self-destruct’ in accordance with certain regulations?
• Is there a process for logging and detecting potential suspicious queries that may be designed to exploit the AI engine or leak data?
• Can you mitigate or prevent malware or distributed denial-of-service (DDoS) attacks that target your service?
• Do you ensure end-to-end encryption for all chatbot communication, and what protocols are you using?

In addition to carefully considering these security implications, organisations should continuously inventory the supply chain based on assets and communications from chatbot, webservice and provider to maintain a risk assessment plan. Any changes can easily affect some of the best practices listed above.
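
Two of the checklist questions above (whether communications carry card data that could extend PCI DSS scope, and whether queries are logged and screened) can be supported by redacting card numbers from chat messages before they are written to a log. The following Python code is an added example, not part of the original article; the function names and the sample transcript are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact_message(text: str) -> tuple[str, int]:
    """Mask Luhn-valid card numbers; return (redacted text, count found)."""
    found = 0

    def _mask(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            return match.group()  # booking references, phone numbers etc. are kept
        found += 1
        return "[PAN ****" + digits[-4:] + "]"

    return PAN_CANDIDATE.sub(_mask, text), found

def scan_transcript(messages):
    """Redact each (sender, text) pair before logging; list indexes that held card data."""
    redacted, flagged = [], []
    for idx, (sender, text) in enumerate(messages):
        clean, hits = redact_message(text)
        redacted.append((sender, clean))
        if hits:
            flagged.append(idx)
    return redacted, flagged

# Constructed sample transcript; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = [
    ("visitor", "Hi, I need to change hotel reservation 1234567890123."),
    ("visitor", "Charge it to 4111 1111 1111 1111 please"),
    ("bot", "Thanks, your booking is updated."),
]

if __name__ == "__main__":
    safe_log, flagged = scan_transcript(SAMPLE)
    for sender, text in safe_log:
        print(f"{sender}: {text}")
    print("messages containing card data:", flagged)
```

The flagged indexes give a count of how often card data enters the chat channel, which is the evidence needed when deciding whether the chatbot and its logs fall within regulatory scope.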

Protecting your employees during conversation marketing

In conversation marketing, a human is actually responding to the queries via the chat window. Several organisations try to make the experience really ‘authentic’ and, as a consequence, do not use fake names or pictures for the human chat box representative.

However, if a company displays the full name of its chat representative inside the chat box, with just a little social engineering, a bad actor can easily uncover data about the representative that can be used as part of an exploit. This is particularly easy if the representative has a social media profile. So to that end, if you do choose to use conversation marketing, it is critical that you follow a few key security best practices.

• For one, never reveal the employee’s full name and instead use an alias. While this might seem counterproductive (remember the whole point about making the experience more ‘authentic’), using the full name or even just the first name and last initial poses a high risk as a little research could uncover personal information about the representative.
• If the chat service displays a picture, photo, or avatar of the representative, use a unique image that cannot be

Issue 18 | www.intelligentciso.com